Administrator Role Separation Configuration

Applies To: Windows Server 2008

This section provides procedures for creating a local administrator role for an RODC and for adding a user to that role.

For more information about Administrator Role Separation, see RODC Features.

Administrative credentials

To initially configure Administrator Role Separation for an RODC, you must be a member of the Domain Admins group.

To configure Administrator Role Separation for an RODC

  1. Click Start, click Run, type cmd, and then press ENTER.

  2. At the command prompt, type dsmgmt.exe, and then press ENTER.

  3. At the DSMGMT prompt, type local roles, and then press ENTER.

  4. For a list of valid parameters, type ?, and then press ENTER.

    By default, no local administrator role is defined on the RODC after AD DS installation. To add the local administrator role, use the Add parameter.

  5. Type add <DOMAIN>\<user> <administrative role>

    For example, type add CONTOSO\testuser administrators


After a user has been added to the administrator role on an RODC, that user can log on locally and can further configure Administrator Role Separation.
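The same procedure as a scripted step that records role membership before and after the change. This is an added example, not part of the original page. The function names Invoke-LocalRoles and Add-RodcLocalRoleMember are hypothetical, and the script assumes that dsmgmt.exe accepts its menu commands as quoted command-line arguments, as ntdsutil.exe does.

```powershell
# Added example, not from the original page. Run on the RODC in an elevated
# PowerShell 2.0 (or later) session.
# Assumption: dsmgmt.exe accepts its menu commands as quoted arguments.

function Invoke-LocalRoles {
    param([Parameter(Mandatory = $true)][string]$Command)
    # Enter the "local roles" menu, run one command, then quit both menu levels.
    & dsmgmt.exe 'local roles' $Command quit quit 2>&1 |
        ForEach-Object { "$_".Trim() } |
        Where-Object { $_ }
}

function Add-RodcLocalRoleMember {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # DOMAIN\user only. Quotes and whitespace are rejected so the value
        # cannot smuggle a second command into the dsmgmt argument.
        [Parameter(Mandatory = $true)]
        [ValidatePattern('^[^\\/"\s]+\\[^\\/"\s]+$')]
        [string]$Account,

        # Local role name, letters and single spaces only.
        [ValidatePattern('^[A-Za-z]+( [A-Za-z]+)*$')]
        [string]$Role = 'administrators'
    )

    # Capture "show role" output before the change for later comparison.
    $before = @(Invoke-LocalRoles "show role $Role")

    if ($PSCmdlet.ShouldProcess("$Role on $env:COMPUTERNAME", "add $Account")) {
        Invoke-LocalRoles "add $Account $Role" | ForEach-Object { Write-Verbose $_ }
    }

    # Capture it again and report only the lines that are new.
    $after = @(Invoke-LocalRoles "show role $Role")
    New-Object PSObject -Property @{
        Role     = $Role
        Account  = $Account
        NewLines = @($after | Where-Object { $before -notcontains $_ })
        ShowRole = $after
    }
}

# The page's own example account and role; prompts for confirmation first.
Add-RodcLocalRoleMember -Account 'CONTOSO\testuser' -Role 'administrators' -Verbose
```

Keep the returned object with the change record, and run the function with -WhatIf to review current membership without adding anyone.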

The following table lists the parameters that are available for Administrator Role Separation.

Parameter           Description

Add %s1 %s2         Adds an account %s1 to the local role %s2.

                    Connects to a specific Active Directory domain controller or an AD LDS instance.

                    Shows pertinent Help information.

List Roles          Lists defined local roles.

                    Returns to the previous menu.

Remove %s1 %s2      Removes an account %s1 from the local role %s2.

Show Role %s        Shows local role members.